author | Richard Jones <rjones@redhat.com> | 2010-07-21 19:50:06 +0100 |
---|---|---|
committer | Richard Jones <rjones@redhat.com> | 2010-07-21 20:48:40 +0100 |
commit | 637f8df83726ab9b50e8a6d2181bd1e0e93ec13e (patch) | |
tree | 77e97218a0f9c570bb93b3c913a3f77c51866b4e /src/guestfs.pod | |
parent | 581a7965faa5bf242ab3f8b7c259ab17c2e967f4 (diff) | |
New APIs: Support for opening LUKS-encrypted disks.

This adds support for opening LUKS-encrypted disks, via
three new APIs:

  luks_open:    Create a mapping for an encrypted disk.
  luks_open_ro: Same, but read-only mapping.
  luks_close:   Close a mapping.

A typical guestfish session using this functionality looks
like this:

  $ guestfish --ro -a encrypted.img
  ><fs> run
  ><fs> list-devices
  /dev/vda
  ><fs> list-partitions
  /dev/vda1
  /dev/vda2
  ><fs> vfs-type /dev/vda2
  crypto_LUKS
  ><fs> luks-open /dev/vda2 luksdev
  Enter key or passphrase ("key"):
  ><fs> vgscan
  ><fs> vg-activate-all true
  ><fs> pvs
  /dev/dm-0
  ><fs> vgs
  vg_f13x64encrypted
  ><fs> lvs
  /dev/vg_f13x64encrypted/lv_root
  /dev/vg_f13x64encrypted/lv_swap
  ><fs> mount /dev/vg_f13x64encrypted/lv_root /
  ><fs> ll /
  total 132
  dr-xr-xr-x. 24 root root 4096 Jul 21 12:01 .
  dr-xr-xr-x 20 root root 0 Jul 21 20:06 ..
  drwx------. 3 root root 4096 Jul 21 11:59 .dbus
  drwx------. 2 root root 4096 Jul 21 12:00 .pulse
  -rw-------. 1 root root 256 Jul 21 12:00 .pulse-cookie
  dr-xr-xr-x. 2 root root 4096 May 13 03:03 bin

NOT included in this patch:

  - An easier way to use this from guestfish.
  - Ability to create LUKS devices.
  - Ability to change LUKS keys on existing devices.
  - Direct access to the /dev/mapper device (eg. if it contains
    anything apart from VGs).

Diffstat (limited to 'src/guestfs.pod')
-rw-r--r-- | src/guestfs.pod | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/src/guestfs.pod b/src/guestfs.pod index 8e3d07c5..5a2e7a5e 100644 --- a/src/guestfs.pod +++ b/src/guestfs.pod @@ -450,6 +450,37 @@ L</guestfs_chmod> after creating each file or directory. For more information about umask, see L<umask(2)>. +=head2 ENCRYPTED DISKS + +Libguestfs allows you to access Linux guests which have been +encrypted using whole disk encryption that conforms to the +Linux Unified Key Setup (LUKS) standard. This includes +nearly all whole disk encryption systems used by modern +Linux guests. + +Use L</guestfs_vfs_type> to identify LUKS-encrypted block +devices (it returns the string C<crypto_LUKS>). + +Then open these devices by calling L</guestfs_luks_open>. +Obviously you will require the passphrase! + +Opening a LUKS device creates a new device mapper device +called C</dev/mapper/mapname> (where C<mapname> is the +string you supply to L</guestfs_luks_open>). +Reads and writes to this mapper device are decrypted from and +encrypted to the underlying block device respectively. + +LVM volume groups on the device can be made visible by calling +L</guestfs_vgscan> followed by L</guestfs_vg_activate_all>. +The logical volume(s) can now be mounted in the usual way. + +Use the reverse process to close a LUKS device. Unmount +any logical volumes on it, deactivate the volume groups +by caling C<guestfs_vg_activate (g, 0, ["/dev/VG"])>. +Then close the mapper device by calling +L</guestfs_luks_close> on the C</dev/mapper/mapname> +device (I<not> the underlying encrypted block device). + =head2 SPECIAL CONSIDERATIONS FOR WINDOWS GUESTS Libguestfs can mount NTFS partitions. It does this using the |
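Review bot: In the final paragraph of the new ENCRYPTED DISKS section, "by caling" should be "by calling", and the sentence it sits in ("Unmount any logical volumes on it, deactivate the volume groups by caling ...") stops at a full stop where it should continue into the next step; joining it with "Then close the mapper device ..." would read as one procedure. The deactivation call is written as C<guestfs_vg_activate (g, 0, ["/dev/VG"])> while every other API in the section is a cross-reference, so L</guestfs_vg_activate> with the arguments described in prose would be consistent. The section also only points at L</guestfs_luks_open>; since the commit message introduces luks_open_ro as well, it is worth naming L</guestfs_luks_open_ro> here as the call to use when the encrypted guest should be inspected without any possibility of writes reaching the underlying block device.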